Monday, July 3. 2006
That was a weird week. I think I rarely changed locations that often, and I kinda lost track of what time zone, currency and/or event I was currently at. However, it turned out to be a very rewarding week, too.
All in all, I travelled roughly 5600 km, which is probably quite a lot given the fact that I otherwise rarely leave Hannover. I changed time zones twice, currencies 4 times (including transit airports), and spoke at two different (un-)conferences. There were nights in school gyms, Sofia park bars, hostel dorms and for 2 nights, I even slept in my own home (tue->wed->thu). My overall perception was that the security topic is still kinda “hot” and although most attendees (naturally, those at PHP Vikinger were more on top of things) seemed to have a firm grasp of what could go wrong with PHP applications, there is still a lack of trustworthy and well-designed solutions to the various security dilemmas. As Kris Köhntopp said at the PHP Vikinger, using stuff like mod_security, our Hardening Patch or other assorted security products is not a real solution, since there is no programmatic and well-formed approach to them. Instead of having a defined and limited outer and inner area for applications (like, an array of all possible URL entries to the application, as well as all possible output it generates), we are putting out fires as they emerge. Of course, we do that because we currently have no other way of keeping our boxes alive and the attackers out as long as possible, but still, Kris has a point.
Continue reading "Conference Wrapup - busy weeks lie behind me"
Saturday, July 1. 2006
So there we are in Bulgaria, and two of the PHP Vikings actually made it here: Derick and me. As I write this, he’s having his first session about the eZ Components. The conference is very well-visited (with around 300 people attending 2 tracks and some workshops) and so far has been pure fun. Bogomil, the organiser, and his wife have everything under control and they really know how to celebrate. Yesterday evening, we experienced the mighty power of Thor first-hand: a huge thunderstorm went down over Sofia and literally flooded everything. In a brave attempt to get to the hotel, some other attendees and I ran from the restaurant, only to be greeted with lots of car alarm sirens (due to the hail) and lots of water from every direction. The roads were actually converted to rivers with water flowing about 10-20 cm deep. I am not kidding you. Around 1pm, I’ll be in for my first session, talking about how to harden PHP and about the Hardened-PHP Project.
Saturday, June 24. 2006
For about 4 hours now, the PHP Vikinger has been in full swing. Everyone arrived between 10 and 11, and together we hacked up a makeshift agenda. Remember that this is an “unconference”, so attendees are in full charge of the whole event. Our lead viking Zak, inspired by the mighty power of Thor himself, took it upon himself to moderate the scheduling and get everything started. Now, everyone who wants to gets up and does a presentation, starts a discussion or - as Kris is currently doing - stimulates brainstorming with the attending core developers and other PHP nerds. The current discussion is even somewhat strategic, pointing out things that PHP still lacks, things that need to adapt to changes in our environment and stuff that is really good in comparison to other languages. Kris is creating a list of everything that’s thrown at him and every item so far has been diligently discussed. After that, Ilia and I will do some security stuff, with him doing introductions and me likely focusing on the server side. My obsession with securing servers without touching apps is well-known, plus it’s a good place to show off the Hardening patch.
Continue reading "First day of the PHP Vikinger"
Wednesday, June 21. 2006
Plane’s booked, train connection shouldn’t be a problem, and the crash pad (local school) is said to be open on Friday, too... did I forget anything? To everyone who’s coming: See ya on Friday.
Thursday, January 19. 2006
I am going to speak at the PHP Conference UK, which will be held at South Bank University, London, UK on February 10th, 2006. Yes guys, that’s in less than three weeks. php.net has the following to say about the event: “Not bad for 50 quid”, and I think that’s kinda true. Amongst others, book author Harry Fuecks and Derick “the ez photographer” Rethans will be speaking, so register now! The conference will be the first of its kind in the UK and anyone who’s interested in PHP should seriously consider joining us on the 10th. You should, however, expedite your decision - Early Bird Discounts are only on offer until February 3rd. My talk will focus on the Hardening-Patch for PHP, outlining the usual stuff (obtaining it, installing it, configuring it) as well as some real-life demos of what it does and how the patch has influenced the mainline PHP distributions. I will also be available for signing CACert accounts and general networking. And, to top it off, I’ll spend a few more days in London to visit all the museums and places I didn’t get around to during my stay over New Year’s.
Sunday, July 10. 2005
Since the weekend, the new website of the Hardened-PHP Project, which I contribute to, has been online. In addition to the Hardening-Patch for PHP, now released as version 0.3.2, we will offer a collection of all advisories we have published as well as further PHP-security-related content. And: you can hire us as bug hunters to examine your own PHP applications for security problems.
Monday, June 6. 2005
Bruce Schneier writes in his blog about a security hole in Bluetooth that can be exploited not just in theory but quite practically in a very short time, and that lets one recover the Bluetooth PIN (which is required for pairing two devices) within a few seconds.
He refers to a paper by the Israelis Shaked and Wool that was published recently.
Continue reading "Bluetooth now officially insecure."
Sunday, April 3. 2005
A nice gentleman on a mailing list is struggling with bot spam in his mail forms and wants to put a stop to it. Since one sees those funny little pictures with the twisted letters everywhere, he thought to himself, “I’ll do something like that too”.
However, it is not necessarily to be expected that the measure he chose will drastically reduce the amount of spam.
Continue reading "This is how CAPTCHAs work... NOT!"
Thursday, March 31. 2005
So, since SpamAssassin apparently isn’t willing to filter out all Nigeria scams, I thought I’d make something entertaining out of it. Spam baiting already exists (e.g. at 419eater.com), so in this posting I’ll add up all the amounts offered to me and see what that comes to in a month.
The extended entry contains the dates with the sum offered to me, i.e. the exact percentage share. The mails listed are partly marked as spam, partly got through as false negatives and were fished out of the junk folder by me. I suspect that without a spam filter, the monthly result could easily be reached in a single day...
Continue reading "The Nigeria Counter"